Initial access brokers target mid-sized businesses for ransomware

Initial access brokers (IABs) are the invisible engine of modern cybercrime. They don't execute ransomware attacks, but they do enable them.

Research from Check Point External Risk Management (formerly Cyberint) shows that IABs are increasingly targeting smaller businesses, with 60.5 percent of listings targeting SMBs (companies with $5M - $50M revenue), representing a new 'sweet spot' for attackers.

The IAB business model is based on breaking into a system and auctioning access to the highest bidder on the dark web. This allows ransomware groups, hacktivists, or state actors to 'log in and launch' their attacks. Selling access is lower-risk, scalable, and profitable for the IABs.

The US remained the top target in 2024, with 31 percent of all access listings. France and Brazil are fast-rising, however, likely due to growing digital footprints and weaker cyber defences, and there's been a 90 percent increase in IAB listings across the top 10 countries over last year.

"Initial Access Brokers are the venture capitalists of ransomware. They invest effort in breaches and profit by selling access, empowering the entire cybercrime supply chain," says Adi Bleih, security researcher at Check Point External Risk Management. "Organizations must shift from reactive to proactive security: patch aggressively, segment networks, and monitor deep and dark web chatter to disrupt access before it's sold."

Among other findings listings for VPN access have surged to 33 percent, closing in on RDP (55 percent) as attackers adapt to remote work environments. The report also shows 53 percent of compromised endpoints relied only on Windows Defender, suggesting poor investment in layered security.

Access is increasingly keenly priced too with 86 percent of access listings costing under $3,000, and some as low as $500.

You can find out more on the Check Point site.

Image credit: peshkov/depositphotos.com